The CyberWire Daily Podcast 11.1.24
Ep 2182 | 11.1.24

A push to debunk election disinformation.

Transcript

Georgia’s Secretary of State Pushes Social Media to Remove Russian Disinformation. CISA introduces its first international strategic plan. Microsoft issues a warning about the Quad7 botnet. Researchers uncover a zero-click vulnerability in Synology devices. CISA warns of critical ICS vulnerabilities. The U.S. and Israel outline the latest cyber activities of an Iranian threat group. Researchers track an online shopping scam operation called “Phish ‘n’ Ships.” A Colorado pathology lab notifies 1.8 million patients of a data breach. Our guest is Gary Barlet, Public Sector CTO at Illumio, with a timely look at election security. Packing a custom PC full of meth.

Today is Friday, November 1st, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Georgia Secretary of State Pushes Social Media to Remove Russian Disinformation. 

Georgia’s Secretary of State, Brad Raffensperger, is calling on social media platforms, including X (formerly Twitter), to remove a fake video circulating on accounts linked to a known Russian disinformation network. The video falsely claims that Haitian immigrants are being issued U.S. identification to vote in Georgia. Disinformation experts quickly identified the source as Storm-1516, a Russian network connected to the Russian Presidential Administration. Despite being debunked by authorities, the video remains accessible on X, where it has spread to an account with nearly 650,000 followers.

Raffensperger issued a strong statement condemning the disinformation as an attempt to disrupt the 2024 U.S. presidential election. He expressed concerns over foreign interference aimed at fueling discord and requested cooperation from social media companies to counteract the disinformation. His office, in partnership with CISA and federal agencies, is actively monitoring and responding to these threats.

This incident reflects a broader trend. Last week, the ODNI, FBI, and CISA flagged another Russian-produced video falsely depicting election misconduct in Pennsylvania. Russian actors have repeatedly targeted Vice President Kamala Harris and Democratic nominee Tim Walz with AI-generated videos, amplifying divisive narratives. Raffensperger emphasized the importance of rejecting these tactics, stating, “As Americans, we can’t let our enemies use lies to divide us and undermine our faith in our institutions.”

CISA introduces its first international strategic plan. 

The Cybersecurity and Infrastructure Security Agency (CISA) has introduced its first international strategic plan, aiming to build stronger global alliances against cyber threats. The plan focuses on three main goals: enhancing the resilience of foreign infrastructure critical to U.S. security, fortifying integrated cyber defense, and improving agency coordination on international efforts. In partnership with U.S. law enforcement, the State Department, and intelligence agencies, CISA seeks a unified global approach to cyber defense.

The strategy emphasizes transparency and accountability in the supply chain, requiring thorough assessments from international vendors to secure hardware, software, and communications. Experts praise the initiative, with Casey Ellis of Bugcrowd calling cybersecurity a “team sport” and James Scobey of Keeper Security noting its potential for robust global collaboration. This plan, they say, sets a critical foundation for shared threat intelligence, standardized security practices, and a stronger global digital ecosystem.

Microsoft issues a warning about the Quad7 botnet. 

Microsoft has issued a warning about the Quad7 botnet, also known as CovertNetwork-1658, a network of compromised SOHO routers primarily used by Chinese threat actors to steal credentials via password-spray attacks. Initially discovered by security researcher Gi7w0rm, Quad7 comprises hacked routers and networking devices, including those from TP-Link, ASUS, Ruckus, Axentra, and Zyxel. Once compromised, threat actors install custom malware that enables remote access over Telnet, with distinctive banners indicating the affected device.

Microsoft reports that Quad7 is used strategically, submitting minimal login attempts to avoid detection alarms. This approach has allowed actors like Storm-0940 to obtain and quickly exploit stolen credentials, often breaching networks and deploying further tools for persistence and data exfiltration. The exact method of router compromise is unclear, though Sekoia observed an OpenWRT zero-day exploit, suggesting that threat actors are utilizing advanced vulnerabilities to gain access.
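The "minimal login attempts" tactic described above defeats the usual per-account lockout rule, so detection has to pivot on the source. The following is an added example, not code from the podcast or from Microsoft's report; the log events and IP addresses are constructed, and the thresholds are assumptions a defender would tune to their own environment.

```python
"""Detect low-and-slow password spraying of the kind attributed to Quad7.

Added example, not from the podcast or Microsoft's report. Per-account
lockout rules miss an actor who tries each account only once or twice, so
this pivots on the source: many distinct accounts, few attempts each.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source_ip, username, success).
# 203.0.113.7 is a hypothetical compromised-router egress address that
# tries one password against each account; 198.51.100.9 hammers one account.
EVENTS = [
    ("2024-11-01T09:00:00", "203.0.113.7", "alice", False),
    ("2024-11-01T09:02:00", "203.0.113.7", "bob", False),
    ("2024-11-01T09:04:00", "203.0.113.7", "carol", False),
    ("2024-11-01T09:06:00", "203.0.113.7", "dave", False),
    ("2024-11-01T09:08:00", "203.0.113.7", "erin", True),
    ("2024-11-01T09:01:00", "198.51.100.9", "alice", False),
    ("2024-11-01T09:01:30", "198.51.100.9", "alice", False),
    ("2024-11-01T09:02:00", "198.51.100.9", "alice", True),
]

def per_account_lockout(events, threshold=5):
    """Classic rule: flag accounts with >= threshold failures. A spray that
    tries each account once stays under this and is never flagged."""
    fails = defaultdict(int)
    for _, _, user, ok in events:
        if not ok:
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)

def spray_sources(events, window=timedelta(hours=1), min_accounts=4, max_per_account=2):
    """Flag sources that touch many distinct accounts within `window` while
    keeping attempts per account at or below max_per_account (assumed values)."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((datetime.fromisoformat(ts), user, ok))
    flagged = {}
    for src, items in by_src.items():
        items.sort()
        for i, (start, _, _) in enumerate(items):
            in_win = [x for x in items[i:] if x[0] - start <= window]
            per_user = defaultdict(int)
            for _, user, _ in in_win:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged[src] = {"accounts": sorted(per_user),
                                "succeeded": sorted(u for _, u, ok in in_win if ok)}
                break  # one hit per source is enough to alert on
    return flagged
```

Run against the constructed events, the lockout rule returns nothing while the source-based rule flags 203.0.113.7 and names the one account it logged into, which is the credential a responder would want to reset first.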

Staying with Microsoft, Redmond is delaying the rollout of its AI-powered Windows Recall feature, initially set for October, to December for further testing. First announced in May, Recall captures and analyzes screenshots of active windows, allowing users to search them with natural language. However, concerns over privacy led Microsoft to implement opt-in usage, Windows Hello verification, and filtering for sensitive content. Microsoft also promises additional security measures, including anti-hammering and rate-limiting, to address feedback from customers and privacy advocates.

Researchers uncover a zero-click vulnerability in Synology devices. 

Dutch researchers have uncovered a zero-click vulnerability in Synology’s NAS devices, specifically in the preinstalled SynologyPhotos application. This flaw, which requires no user interaction, allows attackers to access devices, steal files, plant backdoors, or deploy ransomware, potentially locking users out of their data. The vulnerability affects Synology’s BeeStation devices as well as the widely used DiskStation systems, which many individuals and businesses rely on for scalable data storage. Synology NAS devices have previously been targeted by ransomware groups, with attacks on DiskStation users reported as recently as this year. This discovery highlights the persistent cybersecurity risks associated with network-attached storage systems, which are increasingly targeted by ransomware campaigns.

CISA warns of critical ICS vulnerabilities. 

The US Cybersecurity and Infrastructure Security Agency (CISA) has advised manufacturing companies to implement security mitigations following the discovery of critical vulnerabilities in Rockwell Automation and Mitsubishi control systems. Key vulnerabilities include issues in Rockwell’s FactoryTalk ThinManager, allowing database manipulation and denial-of-service (DoS) attacks, and Mitsubishi’s FA Engineering Software Products, which could permit remote code execution. These flaws, with CVSS scores up to 9.8, are remotely exploitable with low complexity. CISA’s advisory includes mitigation measures and emphasizes defensive actions to minimize exploitation risks.

The U.S. and Israel outline the latest cyber activities of an Iranian threat group.

The United States and Israel have issued a joint advisory detailing the latest cyber activities of Iranian threat group Emennet Pasargad, now operating under the name Aria Sepehr Ayandehsazan (ASA). Known to target Israel and Western nations, the group uses fronts such as Server-Speed and VPS-Agent to host servers and conceal operations. Recent ASA attacks included hacking French display systems during the 2024 Summer Olympics to spread anti-Israeli messages and compromising surveillance cameras in Israel and Gaza, with sensitive footage made available through private servers. Additionally, ASA reportedly contacted families of hostages taken by Hamas to inflict psychological harm. The group also hacked a U.S.-based IPTV service to distribute propaganda. Using AI for enhanced voice modulation and photo generation, ASA continues to evolve its tactics. U.S. officials have sanctioned the group, underscoring its role in state-sponsored influence operations across critical Western and Middle Eastern infrastructure.

Researchers track an online shopping scam operation called “Phish ‘n’ Ships.” 

HUMAN’s Satori Threat Intelligence and Research team uncovered an ongoing phishing scheme, “Phish ‘n’ Ships,” which has compromised over 1,000 legitimate shopping sites since 2019. Using fake product listings, the operation lures shoppers to fraudulent sites with high-demand items at bargain prices. Once on these fake sites, users’ payment data is stolen through compromised checkout processes, with the attackers often using legitimate payment processors to add credibility. Phish ‘n’ Ships has built 121 fake stores to funnel traffic, and attackers use SEO techniques to ensure listings appear high in search results. HUMAN has worked with partners to disrupt this scheme, removing some fake listings from Google and notifying affected payment processors. However, the operation remains active, and shoppers are advised to remain cautious of offers that seem too good to be true.

A Colorado Pathology lab notifies 1.8 million patients of a data breach. 

Six months after a Medusa ransomware attack, Colorado’s Summit Pathology Laboratory has notified 1.8 million patients of a data breach. The attack, which began when an employee clicked a phishing email, exposed patient names, addresses, Social Security numbers, and medical records. Medusa hackers claimed credit for the breach, but Summit has not disclosed if a ransom was paid. They worked quickly to secure their network and involved the FBI, preventing major disruptions. Since announcing the breach, Summit faces eight class-action lawsuits alleging negligence and seeking damages.


Next up, I talk elections with Illumio’s Gary Barlet. We discuss where elections are most vulnerable and the potential dangers beyond national elections.

We’ll be right back.

Welcome back. A friendly reminder to make your voice heard on Tuesday in both our national and local elections. 

Packing a custom PC full of meth. 

And finally, our down-under desk reminds us that building a custom PC setup is easier than ever, but a Malaysian man took “creative assembly” to a new level. Recently, Australian authorities intercepted his DIY project: PC tower cases packed not with graphics cards but with 100 kilograms of meth. The drug-packed towers were shipped from Malaysia, arriving in Australia on October 16. When Australian Border Force officers examined the “computer equipment,” they found blocks of white powder hidden inside. Lab tests revealed the powder was meth, setting off a quick response from the Australian Federal Police.

The alleged smuggler showed up to pick up his “hardware” from a storage unit on October 30, where he was promptly arrested. Australian authorities estimated the meth-filled towers could have hit the streets as a million doses. Instead, this peculiar tech “upgrade” earned him a drug possession charge carrying a potential life sentence—no motherboard needed for that rig!

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.